No, SSH does not. Have you ever actually verified a host fingerprint? Of course not, no one does.
That's the way it's supposed to work. You know the first time you logon to a server and it asks if you trust it? You're supposed to call up the server admin and get them to read off the fingerprint, or have them email it to you, or get it from some other out-of-band channel.
And no-one, nowhere actually verifies host fingerprints. Even security conscious people. And what do people do when they get that warning about a modified fingerprint? Just delete the entry from authorized_hosts and re-connect.
So ssh actually does a really shitty job handling key exchange.
Anyway, the closest thing to a real alternative to https and CAs is monkeysphere (OpenPGP WoT for servers), but no-one uses that.
If I got an error about a modified footprint I wouldn't "just delete the entry" and re-connect... unless I know why it's complaining. If there's a reasonable explanation for why the keys are different then I might do that.
While 'security conscious people' might not verify the fingerprint out-of-band when adding it the first time, I'm sure most of them wouldn't just remove the authorized_hosts entry...
Yes, I often see this and it's almost always that a VIP has moved physical hosts for whatever reason (e.g. planned maintenance on the original box). Occasionally it's that someone's re-JumpStart'd the box. That's sufficient to create a false sense of security, if it ever happened "for real" I would likely dismiss it.
but that is the case in which yoiu _already have_ the footprint. Parent^2 is talking about the first connection, which is when you validate the fingerprint the first time.
That doesn't make any sense to me. There are even free services that can perform the validation for you based on a "crowdsourced" approach to verification, like Perspectives:
Several ssh implementations also support using certificates as hostkeys. Of course the ssh client will still need to be configured to trust the issuer but it can help with the 'first-connection-hostkey-fingerprint-verification' problem. In my experience most users will never verify the fingerprint.
(Hint: https should have been implemented the same way. CAs are fundamentally broken.)